Infected with Huer virus, punnet.exe and some other Trojans


  • This topic is locked
6 replies to this topic

#1 to3mo

  • Members
  • 8 posts

Posted 21 February 2009 - 02:40 PM

I was working on websites yesterday and was looking for some scripts in Java to do some functions, and then randomly pop-ups (2 or 3 at a time) started appearing on my desktop. Then my AVG anti-virus started detecting random files in my win32 folder, that seem like legit files, and started labeling them as viruses and trojans. Aside from the Win32/Heur, I have a Trojan horse Agent.AZRT, a Trojan horse Crypt.CPW and a Trojan horse Boxed.EE in my AVG Virus Vault. I ran MalwareBytes and it cleaned everything and doesn't detect anything anymore; my Ad-Aware and SpyBot SD don't detect anything anymore either. The main problem is that every time I restart my computer, a bunch of applications crash and there's a window that just says "send error report" or "close". A quick example is that when I restart, nothing appears on my desktop, so I press ctrl+alt+del to see what's running, then I have to manually start a new task for explorer.exe in order to see my desktop. It doesn't seem like the typical Windows message when a program crashes; it's a smaller window that I can't seem to describe right now. Aside from that, it seems that a bunch of Windows files are infected and I can't even run my System Restore or some other Windows apps.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Emeric at 11:10:46.06 on Sat 02/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1313 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CcEvtSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN1.tmp
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\TEMP\z51vqpd.exe
C:\WINDOWS\TEMP\kvddd0vk.exe
C:\WINDOWS\TEMP\ktylkajfh5ji.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe C:\WINDOWS\TEMP\VRT8.tmp
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Emeric\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Active Desktop Calendar\ADC.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Emeric\reader_s.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\TEMP\winlognn.exe
C:\WINDOWS\TEMP\hhiefn2.exe
C:\WINDOWS\TEMP\u7bkcl2l.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Emeric\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\temp\init.exe,
BHO: c:\windows\system32\eawdh3hbg87dkjn.dll: {d5bf4552-94f1-42bd-f434-3604812c807d} - c:\windows\system32\eawdh3hbg87dkjn.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\emeric\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Active Desktop Calendar] c:\program files\active desktop calendar\ADC.exe
uRun: [lrijh8s73jhbfgfd] c:\windows\temp\winlognn.exe
uRun: [ik5y6wmfdztutzoacjqkzqcu5u78] c:\windows\temp\fhvxd47mph2.exe
uRun: [k9a7j2x5hy2uxjvrmlp1qfexvimm0f3329pe16y1eki0qf4] c:\windows\temp\gd3f8xby.exe
uRun: [fi39rlnyzfb2pga2hf1wssa1] c:\windows\temp\cjebwkc5qfk7m.exe
uRun: [z6jowx52acec27rb7g649kr2lcgl6ifcust8] c:\windows\temp\ti26tu9.exe
uRun: [avh34ivdq57hvzfog2c8krqada9sc1c7y2pai] c:\windows\temp\m96ircmacl2.exe
uRun: [jddy1xx98dmqnc2vnbhsg2oi872e2ge9w2z2hqg4xfqxautw] c:\windows\temp\x233viri8x.exe
uRun: [bsd0n89yxy0cadg3e7o7ez] c:\windows\temp\g1cdix.exe
uRun: [i6wpffshe4a2u457ogz9qi6xlyiwb6l3zys31ruujlcq9c] c:\windows\temp\sw8723grfk.exe
uRun: [pyyci8uya3g0vysjh72dawfhbqtgsyr] c:\windows\temp\xlxqc97avi6jq.exe
uRun: [fnztbljj9bwuog2e4y6r] c:\windows\temp\jxpqbfa.exe
uRun: [bkc3wglpdnsvo41lh7kmn2u5orwqg0j9lzm8slm] c:\windows\temp\klhl3fr.exe
uRun: [v87slvw5yxe9eddbksrqnyernkeiplqy8] c:\windows\temp\l89da0x0qmker.exe
uRun: [d66uh1ywh7cllwp5er27ipebf5b9rb3k98w1mgfl2sb03] c:\windows\temp\m1d8izqz0yx.exe
uRun: [azal42zlvvzq8a2tvw52z254bcejssizetxzotays8aany] c:\windows\temp\ykwf6hd7.exe
uRun: [ql4tiqk169u04nlh0rkqo4dgjshxj65djiy4lrd6] c:\windows\temp\rgcro5g1s.exe
uRun: [reader_s] c:\documents and settings\emeric\reader_s.exe
uRun: [k13at6olfuq95umdohbnoforwd39j03gmmo5izcln3zlt470] c:\docume~1\emeric\locals~1\temp\zgc3zb8g.exe
uRun: [mnzd0wja725zzogwlnynkjxiojx0mzyj4y9mzes5oij3bo] c:\docume~1\emeric\locals~1\temp\g574c7lb6o.exe
uRun: [z3z97vaztkinjtzxuf2xlqr] c:\docume~1\emeric\locals~1\temp\b7ncwpyeu.exe
uRun: [p15tmq3ayvm6k4e6yctifts2of7e7x] c:\docume~1\emeric\locals~1\temp\xorlx50p.exe
uRun: [pzplr0hi9aq9scyy34hvc5lg] c:\docume~1\emeric\locals~1\temp\eny6gh.exe
uRun: [e2ksjsd03626ffha85bgxjmsmcyopvwutl9kxx2idfv84uhs] c:\docume~1\emeric\locals~1\temp\uegimkyvi.exe
uRun: [zddy48rrttk7g3zc2qx] c:\docume~1\emeric\locals~1\temp\qg648mvsvp3k5.exe
uRun: [utnd79xo7wjvevjvmcttwmeb8i19gctzrcoz4itfjp1r] c:\docume~1\emeric\locals~1\temp\alnyrbpt.exe
uRun: [cmxss1lrw29jttxffe8gvsf5grinprc9bkg43x1] c:\docume~1\emeric\locals~1\temp\ju5s719.exe
uRun: [t8gdf0chhkwpuepiycwcjbj] c:\docume~1\emeric\locals~1\temp\bccwwn.exe
uRun: [tc2q19xf9j04io3j] c:\docume~1\emeric\locals~1\temp\e143h0r3ubi6s.exe
uRun: [jxzp4nv9thgpklghx21x8307bojzn9j0ib246] c:\docume~1\emeric\locals~1\temp\xox2o5.exe
uRun: [h0pp8ymzj2qm2hrd3k702tams0t6x2e] c:\docume~1\emeric\locals~1\temp\voag41km.exe
uRun: [rtna5t5v2jzb78l53] c:\docume~1\emeric\locals~1\temp\v0yg728jl5x.exe
uRun: [mu3881tyi3ul1cra9bptr6gu] c:\windows\temp\hhiefn2.exe
uRun: [f7nnbrv3hu5xrm17kn] c:\windows\temp\u7bkcl2l.exe
uRun: [erqbwhqvl9xgb52mjhp6a8jlug8dqxb4dsmmoqjmja] c:\windows\temp\uaf6vx0grm.exe
uRun: [py2fahpmwb9dglhvjyu] c:\windows\temp\ub3x7oz62tz.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [Jlalilitaciwima] rundll32.exe "c:\windows\Kkoloc.dll",e
mRun: [lrijh8s73jhbfgfd] c:\windows\temp\winlognn.exe
mRun: [Pzuzaqakoyupu] rundll32.exe "c:\windows\eqozawufilelufi.dll",e
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [reader_s] c:\documents and settings\emeric\reader_s.exe
dRun: [nubrd7k6swiqyxn2j] c:\windows\temp\rzo01ei.exe
dRun: [bv4lpy5h5nn29jk0gl7ou09e6qt5cb3ga8fz4rbz8] c:\windows\temp\hlk21v.exe
dRun: [hhbitzasfkmpqqkgom46h0fa8s4wpkn0] c:\windows\temp\z51vqpd.exe
dRun: [pehnczp6jtw24] c:\windows\temp\kvddd0vk.exe
dRun: [ysuhhjhkug9s0l6gp7vsw28vfhn5k4e1xgfvdipg667b] c:\windows\temp\cim1s3.exe
dRun: [dlgxjaftj0411uu3o5dv6r2a5byklpla18to0ps5mx8wuz8s] c:\windows\temp\ktylkajfh5ji.exe
dRun: [fsqfz7fcxmmkd246nvc4ujl8yw4wbp8othzk3i] c:\windows\temp\dmhpwpmqclud.exe
dRun: [f3xt8scd2ivmjrdq1rn2x1ii9bgsdpulvlzj4a49bhifz] c:\windows\temp\ie0nkioz8b5.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227294155500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\eawdh3hbg87dkjn.dll: {d5bf4552-94f1-42bd-f434-3604812c807d} - c:\windows\system32\eawdh3hbg87dkjn.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\emeric\applic~1\mozilla\firefox\profiles\r2ks9om8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\emeric\application data\mozilla\firefox\profiles\r2ks9om8.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\emeric\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\emeric\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {02D3E422-0212-4464-B155-1EE0EE236610} - c:\documents and settings\emeric\local settings\application data\{02D3E422-0212-4464-B155-1EE0EE236610}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-19 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-19 27656]
S3 PciCon;PciCon;\??\f:\pcicon.sys --> f:\PciCon.sys [?]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2009-02-21 11:08 1 a------- c:\windows\system32\B.tmp
2009-02-21 11:08 88 a------- c:\windows\system32\9.tmp
2009-02-21 02:51 1 a------- c:\windows\system32\1E.tmp
2009-02-21 02:51 88 a------- c:\windows\system32\1D.tmp
2009-02-21 02:31 134,144 a------- c:\windows\eqozawufilelufi.dll
2009-02-21 02:19 15,000 a------- c:\windows\system32\eawdh3hbg87dkjn.dll
2009-02-21 02:19 38,912 a------- c:\windows\Kkoloc.dll
2009-02-21 02:19 <DIR> --d----- c:\program files\Microsoft Common
2009-02-21 02:19 1 a------- c:\windows\system32\F.tmp
2009-02-21 02:19 88 a------- c:\windows\system32\E.tmp
2009-02-21 01:27 47,616 a------- c:\documents and settings\emeric\reader_s.exe
2009-02-21 01:27 105,030 a------- c:\windows\system32\CcEvtSvc.exe
2009-02-21 01:27 47,104 a------- c:\windows\system32\reader_s.exe
2009-02-21 01:27 37,888 a------- c:\windows\system32\8.tmp
2009-02-21 01:27 2,560 a------- c:\windows\system32\7.tmp
2009-02-21 01:26 41,473 a------- c:\windows\services.exe
2009-02-21 01:26 88,065 a------- c:\windows\system32\5.tmp
2009-02-21 01:26 24,577 a------- c:\windows\system32\4.tmp
2009-02-21 01:26 208 a------- c:\windows\system32\3.tmp
2009-02-21 00:43 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-02-20 15:16 32,768 ac------ c:\windows\system32\dllcache\cb32.exe
2009-02-20 14:11 <DIR> --d----- C:\ComboFix
2009-02-20 14:11 406,528 a------- c:\windows\system32\CF27089.exe
2009-02-20 13:57 616 a------- c:\windows\system32\50D.tmp
2009-02-20 13:57 2,560 a------- c:\windows\system32\506.tmp
2009-02-20 13:57 88,065 a------- c:\windows\system32\504.tmp
2009-02-20 13:57 208 a------- c:\windows\system32\502.tmp
2009-01-29 11:09 10,520 a------- c:\windows\system32\avgrsstx.dll

==================== Find3M ====================

2009-02-21 00:43 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-29 11:09 325,128 a------- c:\windows\system32\drivers\avgldx86.sys

============= FINISH: 11:11:34.28 ===============

Edited by to3mo, 21 February 2009 - 02:42 PM.
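The "Pseudo HJT Report" section of the DDS log above is where the infection shows most clearly: the Winlogon Userinit value has an extra entry pointing into c:\windows\temp, and dozens of uRun/mRun/dRun autorun entries with random-looking names launch executables from temp directories or from the root of the user profile. The script below is an added example (not part of the thread, and not a DDS feature) that applies exactly those triage rules to a handful of lines taken from the log; the rules themselves (name looks random, program lives in a temp directory, executable sits directly in a profile root, rundll32 loads a DLL from the Windows root, Userinit has more than the standard entry) are my heuristics, not anything DDS or AVG defines.

```python
import re

# Constructed sample: a few "Pseudo HJT Report" lines of the kind DDS printed in the
# log above (the Winlogon Userinit value and uRun/mRun/dRun autorun entries), mixed
# with legitimate entries so the heuristics have something to leave alone.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\temp\init.exe,
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\emeric\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [lrijh8s73jhbfgfd] c:\windows\temp\winlognn.exe
uRun: [reader_s] c:\documents and settings\emeric\reader_s.exe
uRun: [k13at6olfuq95umdohbnoforwd39j03gmmo5izcln3zlt470] c:\docume~1\emeric\locals~1\temp\zgc3zb8g.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Jlalilitaciwima] rundll32.exe "c:\windows\Kkoloc.dll",e
dRun: [nubrd7k6swiqyxn2j] c:\windows\temp\rzo01ei.exe
"""

RUN_RE = re.compile(r'^[umd]Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$')
USERINIT_RE = re.compile(r'^mWinlogon:\s+Userinit=(?P<value>.*)$')
# First program path in a command line, quoted or not (assumption: common extensions).
PATH_RE = re.compile(r'"?(.+?\.(?:exe|dll|scr|com))', re.I)
RANDOM_NAME_RE = re.compile(r'^[a-z0-9]{12,}$')
PROFILE_ROOT_RE = re.compile(r'^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$')
RUNDLL_ROOT_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?c:\\windows\\[^\\"]+\.dll', re.I)
TEMP_DIRS = ('\\windows\\temp\\', '\\locals~1\\temp\\', '\\local settings\\temp\\')
STANDARD_USERINIT = 'c:\\windows\\system32\\userinit.exe'


def first_path(cmd):
    """Lower-cased path of the program an autorun entry starts, quotes stripped."""
    m = PATH_RE.match(cmd.strip())
    return (m.group(1) if m else cmd).strip().lower()


def looks_random(name):
    """Heuristic (my assumption, not a DDS rule): a long, all-lowercase alphanumeric
    value name mixing several letters and digits, like the ones in the log."""
    return (RANDOM_NAME_RE.match(name) is not None
            and len(re.findall(r'\d', name)) >= 2
            and len(re.findall(r'[a-z]', name)) >= 2)


def triage(lines):
    """Return a list of (reason, line) findings for the DDS lines given."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = USERINIT_RE.match(line)
        if m:
            # Userinit normally lists only userinit.exe; anything else runs at every logon.
            for entry in m.group('value').split(','):
                entry = entry.strip().lower()
                if entry and entry != STANDARD_USERINIT:
                    findings.append(('extra Userinit entry: ' + entry, line))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        name, cmd = m.group('name'), m.group('cmd')
        path = first_path(cmd)
        if looks_random(name):
            findings.append(('random-looking autorun name', line))
        if any(t in path for t in TEMP_DIRS):
            findings.append(('launches from a temp directory', line))
        if PROFILE_ROOT_RE.match(path):
            findings.append(('executable directly in a user profile root', line))
        if RUNDLL_ROOT_RE.match(cmd.strip()):
            findings.append(('rundll32 loading a DLL from the Windows root', line))
    return findings


def triage_sample():
    return triage(SAMPLE_DDS.strip().splitlines())


if __name__ == '__main__':
    for reason, line in triage_sample():
        print(f'{reason:45} {line}')
```

On the constructed sample the script flags six of the nine lines and leaves the CTFMON, Google Update and AVG entries alone; on a full DDS log the same rules would also need an allowlist for vendors that legitimately start from odd places, which is why a triage script like this supports a reading of the log rather than replacing it.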



#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts

Posted 21 February 2009 - 07:03 PM

Hi,

I have bad news for you :thumbup2:

I see you're dealing with Virut (or a variant). In that case, it's unfortunately a lost case - a game-over situation - and a format and reinstall is the fastest and especially the safest solution.

You may want to read this to see why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and restore them afterwards, they will infect your computer again.


Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 to3mo
  • Topic Starter
  • Members
  • 8 posts

Posted 21 February 2009 - 08:04 PM

Hi,

I usually have some sort of gut feeling when I reach a virus I can't fix myself, and I was afraid it might come down to reformatting, but I wanted to ask for advice on this forum before I did the tedious task.

Quick question: I've partitioned hard drive 1 into a c:\ and a d:\ drive, and hard drive 2 into e:\. Unfortunately my e:\ drive has a lot of my work, some of it essential to my web sites, that is .exe. Would you think those are infected, or just the c:\ drive files? I've tried to make sure that nothing on my e:\ drive has been tampered with and it seems safe so far, but would it be safe to keep my e:\ drive untouched when I reformat, or should I get rid of all those zip/rar/exe files on my e:\ drive as well?

Also, I'm on a network; are the computers on the network at risk also (the web post didn't mention this)? I've been checking my 2 roommates' computers and they seem fine, nothing fishy. And would I have to reset/restore my router; does it affect the router?

Thanks for the information, these forums are always really helpful and I appreciate everyone's help in fixing our problems.

-Emeric

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts

Posted 22 February 2009 - 04:44 AM

Hi,

Every exe on all of your drives may be infected, unfortunately. This includes zip and rar files as well. However, you can take the risk if you think that your E drive seems to be safe so far.
You'll see it after you have formatted and reinstalled Windows. The format and fresh install of Windows should only take 20-30 mins. Once Windows is installed, transfer one of the exe files present on your E to the freshly installed Windows and launch it.
You should notice within 10 minutes if you get reinfected after you connect to the internet, because you should get a lot of errors, crashes, command windows opening, etc. etc.
So in case you get reinfected, format your C again and your E as well. If the E was untouched, well, then you were lucky :thumbup2:

Also, keep in mind that all webpages (htm, html, asp, php..) are infected as well. They have a malicious iframe inserted which points to a malicious website. So, if you open the page, you'll get infected. This means that if, while you were infected, you uploaded some webpages or files, take them offline asap.
The offline webpages you've created are infected anyway. However, you can back them up and disinfect them manually by deleting the iframe reference in them. But if the online files are not affected (the ones that were uploaded previously), then it's better not to back up any offline webpages. You can always download the non-affected ones again from your ftp (websites).

Also, I'm on a network, are the computers on the network at risk also (the web post didn't mention this)? I've been checking my 2 roommate's computers and they seem fine, nothing fishy. And would I have to reset/restore my router, does it affect the router?

Yes, computers in a network are at risk as well. Just watch it... scan with an up-to-date antivirus on the other computers... and make sure the antivirus is always enabled.
As far as I know, there's no need to reset/restore the router.

Extra note: your passwords may be known by now as well, because the attacker had full access to your computer, so also change all your passwords afterwards.

And the most important thing....

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Edited by miekiemoes, 22 February 2009 - 04:46 AM.

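miekiemoes's advice above is that infected web pages carry an injected iframe pointing at a malicious site, and that offline copies can be disinfected by deleting that iframe reference before they are backed up or re-uploaded. The script below is an added example of that clean-up, not code from the thread: it scans a page for iframes, flags any that are hidden or tiny (zero or one pixel, display:none, visibility:hidden) or whose src points to a host other than the site's own, strips the flagged ones, and reports what it removed so the result can be reviewed. The sample page, the placeholder host malicious.example.invalid and the trusted-host list are constructed; the thread does not state the exact markup Virut inserts, so the hidden/off-site heuristics are my assumption about what an injected frame looks like, and anything the script removes should be diffed against the original before the page goes back online.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed on the site's own host and one
# injected, hidden iframe pointing at a placeholder off-site host.
SAMPLE_HTML = """<html><head><title>Portfolio</title></head>
<body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/gallery.html" width="600" height="400"></iframe>
<p>Contact me.</p>
<iframe src="http://malicious.example.invalid/inject.html" width=1 height=1 style="visibility: hidden"></iframe>
</body></html>
"""
TRUSTED_HOSTS = {'www.example.com'}  # assumption: the hostnames the site legitimately embeds

# Whole iframe elements (with or without a closing tag) and name=value attribute pairs.
IFRAME_RE = re.compile(r'<iframe\b[^>]*>.*?</iframe\s*>|<iframe\b[^>]*/?>', re.I | re.S)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def iframe_attrs(tag):
    """Attribute name -> value for the opening <iframe ...> tag, quotes removed."""
    head = tag.split('>', 1)[0]
    out = {}
    for m in ATTR_RE.finditer(head):
        value = next(v for v in m.groups()[1:] if v is not None)
        out[m.group(1).lower()] = value
    return out


def is_tiny(value):
    """A width or height of 0 or 1 (pixels) is a frame nobody is meant to see."""
    return value is not None and value.strip().lower().rstrip('px') in ('0', '1')


def is_hidden(attrs):
    style = (attrs.get('style') or '').lower().replace(' ', '')
    return ('display:none' in style or 'visibility:hidden' in style
            or is_tiny(attrs.get('width')) or is_tiny(attrs.get('height')))


def is_off_site(attrs, trusted_hosts):
    """True when src names a host that is not one of the site's own (relative srcs pass)."""
    host = urlparse(attrs.get('src') or '').hostname
    return host is not None and host.lower() not in trusted_hosts


def disinfect(html, trusted_hosts):
    """Return (cleaned_html, findings); findings is a list of (src, reasons) per removed frame."""
    findings = []

    def replace(match):
        tag = match.group(0)
        attrs = iframe_attrs(tag)
        reasons = []
        if is_hidden(attrs):
            reasons.append('hidden or zero-size frame')
        if is_off_site(attrs, trusted_hosts):
            reasons.append('src points off-site')
        if not reasons:
            return tag  # legitimate embed, keep as-is
        findings.append((attrs.get('src') or '', reasons))
        return ''      # drop the injected frame entirely

    return IFRAME_RE.sub(replace, html), findings


def disinfect_sample():
    return disinfect(SAMPLE_HTML, TRUSTED_HOSTS)


if __name__ == '__main__':
    cleaned, found = disinfect_sample()
    for src, reasons in found:
        print('removed iframe', src, '-', ', '.join(reasons))
    print(cleaned)
```

Run over a directory of saved pages, the findings list doubles as the record of which files were touched; a page with no findings is one whose iframes all looked legitimate, which is not the same as proof it is clean, so the file-infector advice in the post (not restoring .exe/.scr/.zip/.rar content at all) still stands for everything that is not plain markup.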

#5 to3mo
  • Topic Starter
  • Members
  • 8 posts

Posted 22 February 2009 - 04:16 PM

Hi,

I've been checking the computers on the network and they seem fine. As for my e:\ drive, I've reformatted and installed programs and run them from my e:\ drive, and they seem to be virus free, so I guess I'm really lucky. I should back up my work more often, I guess. My webpages and web work on my e:\ drive are untouched also, so it seems that the virus completely ignored my e:\ drive, but I'm still looking at my d:\ drive to see if anything has been touched.

Thanks for your advice, I think this is the end of the problem.

Emeric

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts

Posted 22 February 2009 - 04:24 PM

Hi Emeric,

Yes, it's indeed a good idea to back up more frequently.
I have Acronis True Image installed and create an image of my entire C frequently. So if anything happens, then I can restore it with that image. :thumbup2:

#7 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts

Posted 24 February 2009 - 08:44 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



